From 8a462752a71e4201f8e97371daa328c4e3da61b9 Mon Sep 17 00:00:00 2001
From: Aaron
Date: Fri, 28 Aug 2015 18:57:25 -0500
Subject: [PATCH 1/3] added checks to updateMessage and deleteMessage
---
 server/methods/deleteMessage.coffee | 8 ++++++--
 server/methods/deleteUser.coffee | 11 +++--------
 server/methods/updateMessage.coffee | 7 ++++++-
 3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/server/methods/deleteMessage.coffee b/server/methods/deleteMessage.coffee
index f440c41edfba6..2ad4555836260 100644
--- a/server/methods/deleteMessage.coffee
+++ b/server/methods/deleteMessage.coffee
@@ -6,6 +6,10 @@ Meteor.methods
 if not RocketChat.settings.get 'Message_AllowDeleting'
 throw new Meteor.Error 'message-deleting-not-allowed', "[methods] updateMessage -> Message deleting not allowed"
+ user = Meteor.users.findOne Meteor.userId()
+
+ unless user?.admin is true or message.u._id is Meteor.userId()
+ throw new Meteor.Error 'not-authorized', '[methods] deleteMessage -> Not authorized'
 console.log '[methods] deleteMessage -> '.green, 'userId:', Meteor.userId(), 'arguments:', arguments
@@ -25,7 +29,7 @@ Meteor.methods
 _id: message._id
 'u._id': Meteor.userId()
 ,
- $set:
+ $set:
 _hidden: true
 else
@@ -39,7 +43,7 @@ Meteor.methods
 _id: message._id
 'u._id': Meteor.userId()
 ,
- $set:
+ $set:
 msg: ''
 t: 'rm'
 ets: new Date()
diff --git a/server/methods/deleteUser.coffee b/server/methods/deleteUser.coffee
index 678196ba0779f..af4fee1ad0f68 100644
--- a/server/methods/deleteUser.coffee
+++ b/server/methods/deleteUser.coffee
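Review bot: The new ownership check in the deleteMessage hunk compares against `message.u._id`, which is a field of the client-supplied `message` argument, so the caller decides whether the owner branch of the check passes; the updateMessage hunk in this patch adds the identical pattern. Resolve ownership from the stored document instead: `original = ChatMessage.findOne message._id` followed by `unless user?.admin is true or original?.u?._id is Meteor.userId()`, which also avoids the TypeError the current line raises when `message.u` is absent. Both `ChatMessage.update` calls in the following hunks still select on `'u._id': Meteor.userId()`, so the admin case the check now admits matches nothing when the message belongs to someone else; either relax that selector for admins or document that admins may only delete their own messages. The deleteMessage method's signature is outside this hunk.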
@@ -2,12 +2,11 @@ Meteor.methods
 deleteUser: (userId) ->
 if not Meteor.userId()
 throw new Meteor.Error('invalid-user', "[methods] deleteUser -> Invalid user")
-
- user = Meteor.users.findOne Meteor.userId()
+
+ user = Meteor.users.findOne userId()
 unless user?.admin is true
 throw new Meteor.Error 'not-authorized', '[methods] deleteUser -> Not authorized'
- user = Meteor.users.findOne userId
 unless user?
 throw new Meteor.Error 'not-found', '[methods] deleteUser -> User not found'
@@ -18,10 +17,6 @@ Meteor.methods
 if room.t isnt 'c' and room.usernames.length is 1
 ChatRoom.remove subscription.rid # Remove non-channel rooms with only 1 user (the one being deleted)
-
-
-
-
 ChatSubscription.remove { "u._id": userId } # Remove user subscriptions
 rooms = ChatRoom.find({ "u._id": userId }).fetch()
@@ -31,4 +26,4 @@ Meteor.methods
 ChatRoom.update {}, { $pull: { usernames: user.username } }, { multi: true } # Remove user from all other rooms
 Meteor.users.remove { _id: userId } # Remove user from users database
- return true
\ No newline at end of file
+ return true
diff --git a/server/methods/updateMessage.coffee b/server/methods/updateMessage.coffee
index dffe9ea5a4912..2db3f603664b3 100644
--- a/server/methods/updateMessage.coffee
+++ b/server/methods/updateMessage.coffee
@@ -6,6 +6,11 @@ Meteor.methods
 if not RocketChat.settings.get 'Message_AllowEditing'
 throw new Meteor.Error 'message-editing-not-allowed', "[methods] updateMessage -> Message editing not allowed"
+ user = Meteor.users.findOne Meteor.userId()
+
+ unless user?.admin is true or message.u._id is Meteor.userId()
+ throw new Meteor.Error 'not-authorized', '[methods] updateMessage -> Not authorized'
+
 console.log '[methods] updateMessage -> '.green, 'userId:', Meteor.userId(), 'arguments:', arguments
 # If we keep history of edits, insert a new message to store history information
@@ -31,4 +36,4 @@ Meteor.methods
 $set: message
 # Meteor.defer ->
- # RocketChat.callbacks.run 'afterSaveMessage', ChatMessage.findOne(message.id)
\ No newline at end of file
+ # RocketChat.callbacks.run 'afterSaveMessage', ChatMessage.findOne(message.id)
From 804b2e0daa4c48d8d71a2e28b8d58bd1e5b14a1a Mon Sep 17 00:00:00 2001
From: Aaron
Date: Fri, 28 Aug 2015 18:59:39 -0500
Subject: [PATCH 2/3] Fixed typo
---
 server/methods/deleteUser.coffee | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/server/methods/deleteUser.coffee b/server/methods/deleteUser.coffee
index af4fee1ad0f68..c0487c5d7745d 100644
--- a/server/methods/deleteUser.coffee
+++ b/server/methods/deleteUser.coffee
@@ -3,7 +3,8 @@ Meteor.methods
 if not Meteor.userId()
 throw new Meteor.Error('invalid-user', "[methods] deleteUser -> Invalid user")
- user = Meteor.users.findOne userId()
+ user = Meteor.users.findOne userId
+
 unless user?.admin is true
 throw new Meteor.Error 'not-authorized', '[methods] deleteUser -> Not authorized'
From 3538f9e1d55799dc377446c6684bed0a3af554bb Mon Sep 17 00:00:00 2001
From: Aaron
Date: Sat, 29 Aug 2015 08:59:30 -0500
Subject: [PATCH 3/3] fixed. Forgot this is an action that's only triggered from admin panel.
---
 server/methods/deleteUser.coffee | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/server/methods/deleteUser.coffee b/server/methods/deleteUser.coffee
index c0487c5d7745d..678196ba0779f 100644
--- a/server/methods/deleteUser.coffee
+++ b/server/methods/deleteUser.coffee
@@ -2,12 +2,12 @@ Meteor.methods
 deleteUser: (userId) ->
 if not Meteor.userId()
 throw new Meteor.Error('invalid-user', "[methods] deleteUser -> Invalid user")
-
- user = Meteor.users.findOne userId
+ user = Meteor.users.findOne Meteor.userId()
 unless user?.admin is true
 throw new Meteor.Error 'not-authorized', '[methods] deleteUser -> Not authorized'
+ user = Meteor.users.findOne userId
 unless user?
 throw new Meteor.Error 'not-found', '[methods] deleteUser -> User not found'
@@ -18,6 +18,10 @@ Meteor.methods
 if room.t isnt 'c' and room.usernames.length is 1
 ChatRoom.remove subscription.rid # Remove non-channel rooms with only 1 user (the one being deleted)
+
+
+
+
 ChatSubscription.remove { "u._id": userId } # Remove user subscriptions
 rooms = ChatRoom.find({ "u._id": userId }).fetch()
@@ -27,4 +31,4 @@ Meteor.methods
 ChatRoom.update {}, { $pull: { usernames: user.username } }, { multi: true } # Remove user from all other rooms
 Meteor.users.remove { _id: userId } # Remove user from users database
- return true
+ return true
\ No newline at end of file
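Review bot: In the first hunk `user` is bound twice to two different accounts — first the caller (`Meteor.users.findOne Meteor.userId()`), whose `admin` flag gates the method, then the account being deleted (`Meteor.users.findOne userId`) — and confusing the two is exactly what the previous two patches in this series got wrong. Giving the first lookup its own name keeps the authorization subject explicit: `requester = Meteor.users.findOne Meteor.userId()` and `unless requester?.admin is true`. The later `user.username` use in the third hunk refers to the deleted account and stays as it is under that rename. The rest of deleteUser between the hunks is outside this view.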